
Malware and Search Engines: Yandex Challenges AV-Test Results

Last week, independent lab AV-Test released its findings from an 18-month study looking at malware being delivered through search engines. The big piece for us and our readers was that Bing returned five times as much malware as Google, but it still wasn't the leader according to AV-Test. That title went to the Russian search engine Yandex, which has since challenged AV-Test's results.

By Max Eddy
Updated April 17, 2013

Last week, independent lab AV-Test released its findings from an 18-month study looking at malware being delivered through search engines. The big piece for us and our readers was that Bing returned almost five times as much malware as Google, but it still wasn't the leader according to AV-Test. That title went to the Russian search engine Yandex, which has since challenged AV-Test's results.

Yandex Wants Answers
In a statement, Yandex posed several questions—some of which were echoed in our comments—about AV-Test's methodology. Yandex wanted to know how AV-Test defined malware, why the sample sizes varied so dramatically, how the information for the study was gathered, and so on.

Yandex also pointed out that the company does not, as a rule, filter its results for malware. "Yandex uses its own proprietary antivirus technology to protect users from malicious software," reads an email from the company. "Yandex marks the infected webpages in its search results in order to notify users of unsafe content. We just notify users of possible consequences and do not block access to the webpage completely."

AV-Test Responds
The German testing lab told SecurityWatch that it defined malicious sites as those that "spread known malware or exhibit malicious behavior, including websites containing drive-by-downloads or direct downloads of malicious binaries."

As to how the malicious sites were counted, AV-Test explained that it used four methods of verification. First, all sites were examined for suspicious behavior, including obfuscated JavaScript, hidden iframes, and unusual redirects, among other things. Sites that had any of these features then went into the company's dynamic analysis system, which looks for malicious behavior—such as known exploits.

In addition to dynamic analysis, AV-Test uses lists of known malicious content and sites. "We apply extended static checks on the website content," said AV-Test. "So we were able to identify already known exploits or malware binaries according to our data."

As part of its regular anti-virus testing, which we routinely cover, AV-Test pits off-the-shelf software against malicious URLs. The lab then integrated this "real-world testing" into the study. The company explained that "a big part of the suspicious URLs were also tested against Anti-Virus products as part of our regular public testing."

Suspicious URLs were also cross-checked against other malware databases, such as Malwaredomainlist and Zeustracker.
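As an added illustration (not AV-Test's tooling or this article's own code), here is a small Python triage script that applies the three static checks the lab lists, hidden iframes, external redirects and obfuscated JavaScript, to a page's HTML; the regexes, thresholds, `.example` hosts and sample pages are assumptions constructed for this example.

```python
import re

# Heuristics modelled on the static triage described above; patterns and
# thresholds are this example's assumptions, not AV-Test's actual rules.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden|'
    r'\b(?:width|height)\s*=\s*["\']?0*[01]\b)[^>]*>', re.I)
REDIRECT = re.compile(
    r'(?:<meta[^>]+http-equiv\s*=\s*["\']?refresh[^>]*url\s*=\s*|'
    r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\'])'
    r'(https?://[^"\'>\s;]+)', re.I)
SCRIPT = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
DECODERS = ('eval(', 'unescape(', 'fromCharCode', 'atob(', 'document.write(')

def obfuscation_score(js):
    """Count decoder calls, plus a bonus for a dense escaped/hex payload."""
    score = sum(js.count(t) for t in DECODERS)
    escaped = re.findall(r'\\x[0-9a-f]{2}|%[0-9a-f]{2}|\\u[0-9a-f]{4}', js, re.I)
    if len(escaped) > 20:  # assumed threshold for a "mostly escaped" script
        score += 2
    return score

def triage(html, page_host):
    """Return (kind, detail) findings for a page served from page_host."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(('hidden_iframe', m.group(0)[:60]))
    for m in REDIRECT.finditer(html):
        target = m.group(1)
        host = re.sub(r'^https?://([^/]+).*$', r'\1', target)
        if host.lower() != page_host.lower():  # redirect leaves the site
            findings.append(('external_redirect', target))
    for js in SCRIPT.findall(html):
        score = obfuscation_score(js)
        if score >= 2:
            findings.append(('obfuscated_js', f'score={score}'))
    return findings

# Constructed sample pages (hosts under .example are placeholders).
BENIGN = ('<html><body><iframe src="https://video.example/embed" width="640" '
          'height="360"></iframe><script>document.title = "Shop";</script>'
          '</body></html>')
ESCAPED = "".join("%%%02x" % ord(c) for c in "alert('constructed payload')")
SUSPICIOUS = f'''<html><head>
<meta http-equiv="refresh" content="0;url=http://redirector.example/go">
</head><body><h1>Cheap things</h1>
<iframe src="http://drop.example/x.html" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape("{ESCAPED}"));</script></body></html>'''
```

Pages that produce findings here would be the ones handed on to dynamic analysis and list cross-checks; the static pass only selects candidates and is not on its own evidence of malware.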

A Different Kind of Test
AV-Test also addressed Yandex's point about its anti-malware solution, noting that the search engine isn't alone in placing warnings near suspicious links. "Most if not all search engines do this to some extent," AV-Test told SecurityWatch.

"But that was not part of this study," continued AV-Test. "We tested how many malicious websites can make it into the index of the search engine and stay there for a while." This is a critical distinction, since the study doesn't really address which search engine is "safer" but how search engines are used by the bad guys to spread malware.

AV-Test said that to determine the efficacy of Yandex's anti-malware system, it would have to design a new study that looked at how many malicious websites the search engine correctly identified. Such a study would also have to look at whether the warnings are easy to see and correctly interpreted by users, how fast the warnings appear, and how many false positives appear.

Going Forward
Yandex and AV-Test are apparently engaging in "friendly" talks about the issue, but it still leaves some questions unanswered. However, one thing is absolutely clear: attackers are actively using search engine optimization to spread malware through search engine results.

How search engines choose to deal with this issue is up to them, and their business model. The fact is that while Yandex may have other means to protect its users, the malicious results are still there. The same is true for Google, Bing, and the other sites in the study.

The Real Threat
Another point that many of our readers discussed was whether or not this tactic constituted an actual threat. AV-Test acknowledged that the chance of an individual encountering malware through a search engine is extremely low, but that's not the game attackers are playing. They're banking on the fact that Google alone processes 2-3 billion searches a day. That adds up to about 50,000 malicious results a day, worldwide. As is usually the case with malware attacks, it's not about you, it's about the numbers.

On top of that, AV-Test noted that many of these malicious sites are employing search engine optimization techniques (or SEO, for those hip to the lingo). These are some of the same techniques that help news sites and blogs raise their search results, artificially or fairly, in order to get noticed on Google. These are not random encounters; they're targeted to relevant, topical results in the hopes of hitting as many victims as possible.

The takeaway is still the same: stay safe, click smart, and get some kind of security software.

About Max Eddy

Lead Security Analyst

Since my start in 2008, I've covered a wide variety of topics from space missions to fax service reviews. At PCMag, much of my work has been focused on security and privacy services, as well as a video game or two. I also write the occasional security columns, focused on making information security practical for normal people. I helped organize the Ziff Davis Creators Guild union and currently serve as its Unit Chair.
